Biblio

The security of logic locking has been called into question by various attacks, especially a Boolean satisfiability (SAT) based attack, that exploits scan access in a working chip. Among other techniques, a robust design-for-security (DFS) architecture was presented to restrict any unauthorized scan access, thereby, thwarting the SAT attack (or any other attack that relies on scan access). Nevertheless, in this work, we successfully break this technique by recovering the secret key despite the lack of scan access. Our security analysis on a few benchmark circuits protected by the robust DFS architecture demonstrates the effectiveness of our attack; on average 95% of the key bits are correctly recovered, and almost 100% in most cases. To overcome this and other prevailing attacks, we propose a defense by making fundamental changes to the robust DFS technique; the new defense can withstand all logic locking attacks. We observe, on average, lower area overhead ( 1.65%) than the robust DFS design ( 5.15%), and similar test coverage ( 99.88%).

Logic locking, and Integrated Circuit (IC) Camouflaging, are techniques that try to hide the design of an IC from a malicious foundry or end-user by introducing ambiguity into the netlist of the circuit. While over the past decade an array of such techniques have been proposed, their security has been constantly challenged by algorithmic attacks. This may in part be due to a lack of formally defined notions of security in the first place, and hence a lack of security guarantees based on long-standing hardness assumptions. In this paper we take a formal approach. We define the problem of circuit locking (cL) as transforming an original circuit to a locked one which is ``unintelligable'' without a secret key (this can model camouflaging and split-manufacturing in addition to logic locking). We define several notions of security for cL under different adversary models. Using long standing results from computational learning theory we show the impossibility of exponentially approximation-resilient locking in the presence of an oracle for large classes of Boolean circuits. We then show how exact-recovery-resiliency and a more relaxed notion of security that we coin ``best-possible'' approximation-resiliency can be provably guaranteed with polynomial overhead. Our theoretical analysis directly results in stronger attacks and defenses which we demonstrate through experimental results on benchmark circuits.

This paper discusses the detection of hardware Trojans (HTs) by their breaking of symmetries within integrated circuits (ICs), as measured by path delays. Typically, path delay or side channel methods rely on comparisons to a golden, or trusted, sample. However, golden standards are affected by inter-and intra-die variations which limit the confidence in such comparisons. Symmetry is a way to detect modifications to an IC with increased confidence by confirming subcircuit consistencies within as it was originally designed. The difference in delays from a given path to a set of symmetric paths will be the same unless an inserted HT breaks symmetry. Symmetry can naturally exist in ICs or be artificially added. We describe methods to find and measure path delays against symmetric paths, as well as the advantages and disadvantages of this method. We discuss results of examples from benchmark circuits demonstrating the detection of hardware Trojans.